How Paypal Manages Fraud Risk

Paypal Inc.’s business model depends on ease of use, but not ease of use for payment fraud. Chief Risk Officer Tomer Barel and Dr. Hui Wang, senior director of global risk sciences, talked with Risk & Compliance Journal about how Paypal strikes the balance between customer convenience and security.

What are the most important risks for Paypal?

Mr. Barel: Paypal is predominantly a payment service, and the key risk we face is that either party to the transaction does not fulfill its obligation. On the consumer side the most typical is a fraud situation, such as identity fraud. In other cases, they are who they claim to be but do not pay because the bank account is not operating, or they systematically file claims that they did not get merchandise when they did. On the other side, the seller does not fulfill his obligation, gets the money but does not ship the goods. We provide buyers full protection against fraud and merchants get significant protection. But another area is credit risk. Paypal extends loans to both consumers and merchants, predominantly but not only in the U.S.

How do you defend against these risks?

Mr. Barel: Given that Paypal is an online service, and global, we face significant pressure. It’s easy to open an account and start transacting--that is part of the business model. We early on took risk very seriously. The founders focused on managing risk, especially fraud risk. That led to our building a lot of the capabilities that allow us to manage risk in house. We have a large number of engineers and we view financial risk as very technology driven. What we find is that our ecosystem requires a very high level of investment in customizing solutions, because the threat is very significant and the economic structure in the payment space is such that the cost of mistakes is high. It’s easy to drift into killing a lot of good business if you don’t have high accuracy.

With respect to customization, what makes your risk technology different?

Ms. Wang: Prior to 2009, Paypal’s risk management system was built more or less upon what most industries are using out there. The industry standard was linear-based technology. Simply put, for example, if you’re looking at a piece of paper with green and red dots, and have to separate them, linear uses a straight line, but with nonlinear this line could be curved, or could be multidimensional. As we grow, we have a lot of different types of data coming our way. Non-linear can make use of this information better than traditional.

Could you give an example of what this means in practice?

Ms. Wang: Our fraud detection system is built upon a lot of data and when we look at a transaction we try to look at all aspects of the transaction. Let’s say we see a transaction coming in from New York, trying to buy something from California, and have it shipped to Michigan. In the traditional world people might think this is suspicious, but with our highly sophisticated enterprise system, we can triangulate. Maybe this guy is a student from Michigan buying a present for his parents. In the old days, the user would have had a challenge getting the payment through, or we’d have had to leverage our teammates in the operations center. But nowadays we can use science and know it’s OK, he is a good person, let him go.

So the new approach is better at clearing transactions that are not fraudulent, but what about those that are fraudulent?

Ms. Wang: Let’s say you buy something for $30,000. The dollar amount is a simple way to identify an anomaly. But what if it’s a lower dollar amount, such as making a $1.00 payment 20,000 times? It might sound crazy but it’s an effective way to stay under a traditional fraud detection system’s radar. We are now able to link a lot of these activities together and realize even though it is only $1.00 there are a lot of them out there, they come from the same shop, etc. This kind of triangulating was hard to do in the old legacy system.

How do you deal with know-your-customer requirements and money laundering risks?

Mr. Barel: We work very closely with regulators here in the U.S. and elsewhere in the world. We are subject to the same regulatory regime as banks in money laundering. It is true that the way we know a customer is not the traditional way of meeting a customer and getting the customer to provide in the branch some physical evidence of identity. We think, though, that the amount of data we collect on the customer--some of it provided by the customer and verifiable, some of it data we use for purposes including fraud management--taken together provide us with a good view of the customer identity.

(Gregory J. Millman is a senior columnist with Risk & Compliance Journal. He is the author of The Vandals' Crown: How Rebel Currency Traders Overthrew the World's Central Banks, and several other books. He can be reached at +1 (212) 416-2352 or by email at gregory.millman@wsj.com. Follow on Twitter @GregoryJMillman.)